
Clamonacc.service not waiting for clamav-daemon.service

Open HanMoeHtet opened this issue 2 years ago • 2 comments

Describe the bug

Clamonacc.service is not waiting for clamav-daemon.service. clamd and freshclam work, but not clamonacc. I can start clamonacc.service manually.

How to reproduce the problem

I have installed clamav clamav-daemon on Ubuntu 20.04.3 and configured clamonacc.

Clamd config
#Automatically Generated by clamav-daemon postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogSyslog false
LogRotate true
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
PreludeEnable no
PreludeAnalyzerName ClamAV
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly false
SelfCheck 3600
Foreground false
Debug false
ScanPE true
MaxEmbeddedPE 10M
ScanOLE2 true
ScanPDF true
ScanHTML true
MaxHTMLNormalize 10M
MaxHTMLNoTags 2M
MaxScriptNormalize 5M
MaxZipTypeRcg 1M
ScanSWF true
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
IdleTimeout 30
CrossFilesystems true
PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
PartitionIntersection false
DetectPUA false
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false
CommandReadTimeout 30
SendBufTimeout 200
MaxQueue 100
ExtendedDetectionInfo true
OLE2BlockMacros false
AllowAllMatchScan true
ForceToDisk false
DisableCertCheck false
DisableCache false
MaxScanTime 120000
MaxScanSize 100M
MaxFileSize 25M
MaxRecursion 16
MaxFiles 10000
MaxPartitions 50
MaxIconsPE 100
PCREMatchLimit 10000
PCRERecMatchLimit 5000
PCREMaxFileSize 25M
ScanXMLDOCS true
ScanHWP3 true
MaxRecHWP3 16
StreamMaxLength 25M
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock false
LogFileMaxSize 0
Bytecode true
BytecodeSecurity TrustSigned
BytecodeTimeout 60000
OnAccessMaxFileSize 5M
OnAccessPrevention yes
OnAccessIncludePath /home//clamav-test
OnAccessExcludeUname clamav
Clamav-daemon.service (default)
[Unit]
Description=Clam AntiVirus userspace daemon
Documentation=man:clamd(8) man:clamd.conf(5) https://docs.clamav.net/
# Check for database existence
ConditionPathExistsGlob=/var/lib/clamav/main.{c[vl]d,inc}
ConditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc}

[Service]
ExecStart=/usr/sbin/clamd --foreground=true
# Reload the database
ExecReload=/bin/kill -USR2 $MAINPID
StandardOutput=syslog
TimeoutStartSec=420

[Install]
WantedBy=multi-user.target

Clamonacc.service
# /etc/systemd/system/clamonacc.service
[Unit]
Description=ClamAV On Access Scanner
Requires=clamav-daemon.service
Wants=clamav-daemon.service
After=clamav-daemon.service

[Service]
ExecStart=/usr/sbin/clamonacc --foreground=true --log=/var/log/clamav/clamonacc.log
ExecStop=/bin/kill -SIGKILL $MAINPID
StandardOutput=syslog
Restart=on-failure
RestartSec=120

[Install]
WantedBy=multi-user.target

sudo journalctl -b | grep clam
Feb 10 10:26:11 kumo.dev systemd[1]: Configuration file /etc/systemd/system/clamonacc.service is marked executable. Please remove executable permission bits. Proceeding anyway.
Feb 10 10:26:14 kumo.dev audit[945]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/clamd" pid=945 comm="apparmor_parser"
Feb 10 10:26:14 kumo.dev kernel: audit: type=1400 audit(1676001374.865:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/clamd" pid=945 comm="apparmor_parser"
Feb 10 10:26:14 kumo.dev audit[961]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/freshclam" pid=961 comm="apparmor_parser"
Feb 10 10:26:15 kumo.dev clamonacc[1084]: ERROR: ClamClient: Could not connect to clamd, Couldn't connect to server
Feb 10 10:26:15 kumo.dev clamonacc[1084]: ERROR: Clamonacc: daemon is local, but a connection could not be established
Feb 10 10:26:15 kumo.dev systemd[1]: clamonacc.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Feb 10 10:26:15 kumo.dev systemd[1]: clamonacc.service: Failed with result 'exit-code'.
Feb 10 10:26:20 kumo.dev freshclam[1901]: Fri Feb 10 10:26:20 2023 -> ClamAV update process started at Fri Feb 10 10:26:20 2023
Feb 10 10:26:21 kumo.dev whoopsie-upload-all[1914]: /var/crash/_usr_sbin_clamonacc.0.crash already marked for upload, skipping
Feb 10 10:26:30 kumo.dev freshclam[1901]: Fri Feb 10 10:26:30 2023 -> ^Can't query current.cvd.clamav.net
Feb 10 10:26:30 kumo.dev freshclam[1901]: Fri Feb 10 10:26:30 2023 -> ^Invalid DNS reply. Falling back to HTTP mode.
Feb 10 10:26:30 kumo.dev freshclam[1901]: Fri Feb 10 10:26:30 2023 -> ^FreshClam previously received error code 429 or 403 from the ClamAV Content Delivery Network (CDN).
Feb 10 10:26:30 kumo.dev freshclam[1901]: Fri Feb 10 10:26:30 2023 -> This means that you have been rate limited or blocked by the CDN.
Feb 10 10:26:30 kumo.dev freshclam[1901]: Fri Feb 10 10:26:30 2023 ->  1. Verify that you're running a supported ClamAV version.
Feb 10 10:26:30 kumo.dev freshclam[1901]: Fri Feb 10 10:26:30 2023 ->     See https://docs.clamav.net/faq/faq-eol.html for details.
Feb 10 10:26:30 kumo.dev freshclam[1901]: Fri Feb 10 10:26:30 2023 ->  2. Run FreshClam no more than once an hour to check for updates.
Feb 10 10:26:30 kumo.dev freshclam[1901]: Fri Feb 10 10:26:30 2023 ->     FreshClam should check DNS first to see if an update is needed.
Feb 10 10:26:30 kumo.dev freshclam[1901]: Fri Feb 10 10:26:30 2023 ->  3. If you have more than 10 hosts on your network attempting to download,
Feb 10 10:26:30 kumo.dev freshclam[1901]: Fri Feb 10 10:26:30 2023 ->     it is recommended that you set up a private mirror on your network using
Feb 10 10:26:30 kumo.dev freshclam[1901]: Fri Feb 10 10:26:30 2023 ->     cvdupdate (https://pypi.org/project/cvdupdate/) to save bandwidth on the
Feb 10 10:26:30 kumo.dev freshclam[1901]: Fri Feb 10 10:26:30 2023 ->     CDN and your own network.
Feb 10 10:26:30 kumo.dev freshclam[1901]: Fri Feb 10 10:26:30 2023 ->  4. Please do not open a ticket asking for an exemption from the rate limit,
Feb 10 10:26:30 kumo.dev freshclam[1901]: Fri Feb 10 10:26:30 2023 ->     it will not be granted.
Feb 10 10:26:30 kumo.dev freshclam[1901]: Fri Feb 10 10:26:30 2023 -> ^You are still on cool-down until after: 2023-02-10 12:42:25
Feb 10 10:26:39 kumo.dev clamd[1082]: Fri Feb 10 10:26:39 2023 -> Limits: Global time limit set to 120000 milliseconds.
Feb 10 10:26:39 kumo.dev clamd[1082]: Fri Feb 10 10:26:39 2023 -> Limits: Global size limit set to 104857600 bytes.
Feb 10 10:26:39 kumo.dev clamd[1082]: Fri Feb 10 10:26:39 2023 -> Limits: File size limit set to 26214400 bytes.
Feb 10 10:26:39 kumo.dev clamd[1082]: Fri Feb 10 10:26:39 2023 -> Limits: Recursion level limit set to 16.
Feb 10 10:26:39 kumo.dev clamd[1082]: Fri Feb 10 10:26:39 2023 -> Limits: Files limit set to 10000.
Feb 10 10:26:39 kumo.dev clamd[1082]: Fri Feb 10 10:26:39 2023 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Feb 10 10:26:39 kumo.dev clamd[1082]: Fri Feb 10 10:26:39 2023 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Feb 10 10:26:39 kumo.dev clamd[1082]: Fri Feb 10 10:26:39 2023 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Feb 10 10:26:39 kumo.dev clamd[1082]: Fri Feb 10 10:26:39 2023 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
Feb 10 10:26:39 kumo.dev clamd[1082]: Fri Feb 10 10:26:39 2023 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Feb 10 10:26:39 kumo.dev clamd[1082]: Fri Feb 10 10:26:39 2023 -> Limits: MaxPartitions limit set to 50.
Feb 10 10:26:39 kumo.dev clamd[1082]: Fri Feb 10 10:26:39 2023 -> Limits: MaxIconsPE limit set to 100.
Feb 10 10:26:39 kumo.dev clamd[1082]: Fri Feb 10 10:26:39 2023 -> Limits: MaxRecHWP3 limit set to 16.
Feb 10 10:26:39 kumo.dev clamd[1082]: Fri Feb 10 10:26:39 2023 -> Limits: PCREMatchLimit limit set to 10000.
Feb 10 10:26:39 kumo.dev clamd[1082]: Fri Feb 10 10:26:39 2023 -> Limits: PCRERecMatchLimit limit set to 5000.
Feb 10 10:26:39 kumo.dev clamd[1082]: Fri Feb 10 10:26:39 2023 -> Limits: PCREMaxFileSize limit set to 26214400.
Feb 10 10:26:39 kumo.dev clamd[1082]: Fri Feb 10 10:26:39 2023 -> Archive support enabled.
Feb 10 10:26:39 kumo.dev clamd[1082]: Fri Feb 10 10:26:39 2023 -> AlertExceedsMax heuristic detection disabled.
Feb 10 10:26:39 kumo.dev clamd[1082]: Fri Feb 10 10:26:39 2023 -> Heuristic alerts enabled.
Feb 10 10:26:39 kumo.dev clamd[1082]: Fri Feb 10 10:26:39 2023 -> Portable Executable support enabled.
Feb 10 10:26:39 kumo.dev clamd[1082]: Fri Feb 10 10:26:39 2023 -> ELF support enabled.
Feb 10 10:26:39 kumo.dev clamd[1082]: Fri Feb 10 10:26:39 2023 -> Mail files support enabled.
Feb 10 10:26:39 kumo.dev clamd[1082]: Fri Feb 10 10:26:39 2023 -> OLE2 support enabled.
Feb 10 10:26:39 kumo.dev clamd[1082]: Fri Feb 10 10:26:39 2023 -> PDF support enabled.
Feb 10 10:26:39 kumo.dev clamd[1082]: Fri Feb 10 10:26:39 2023 -> SWF support enabled.
Feb 10 10:26:39 kumo.dev clamd[1082]: Fri Feb 10 10:26:39 2023 -> HTML support enabled.
Feb 10 10:26:39 kumo.dev clamd[1082]: Fri Feb 10 10:26:39 2023 -> XMLDOCS support enabled.
Feb 10 10:26:39 kumo.dev clamd[1082]: Fri Feb 10 10:26:39 2023 -> HWP3 support enabled.
Feb 10 10:26:39 kumo.dev clamd[1082]: Fri Feb 10 10:26:39 2023 -> Self checking every 3600 seconds.

HanMoeHtet avatar Feb 10 '23 04:02 HanMoeHtet

For now I am using

ExecStartPre=/bin/bash -c "while [ ! -S /run/clamav/clamd.ctl  ]; do sleep 1; done"

And also I have to use SIGKILL instead of SIGTERM to stop the clamonacc process. It only happens when clamonacc has found a virus (in this case an eicar.txt file). If not, it can be stopped with SIGTERM. Is this intended behavior?

I think registering clamonacc as a systemctl service should be described in the docs.

HanMoeHtet avatar Feb 10 '23 09:02 HanMoeHtet

> And also I have to use SIGKILL instead of SIGTERM to stop the clamonacc process. It only happens when clamonacc has found a virus (in this case an eicar.txt file). If not, it can be stopped with SIGTERM. Is this intended behavior?

I have the same problem. Once clamonacc has found a file, it can no longer be terminated via SIGTERM. The init system waits for its internal timeout and then uses SIGKILL. Is there already a solution to this?

Stefomat avatar Oct 24 '23 13:10 Stefomat

> And also I have to use SIGKILL instead of SIGTERM to stop the clamonacc process. It only happens when clamonacc has found a virus (in this case an eicar.txt file). If not, it can be stopped with SIGTERM. Is this intended behavior?

I was unable to reproduce this issue, but I have no complaint adding the change in #1164:

ExecStop=/bin/kill -SIGKILL $MAINPID

Will merge that.

Regarding the original complaint where clamonacc was not waiting for clamd to finish starting, it seems we already have the ExecStartPre command as described. So I'll close this ticket.

But another option would have been to use:

ExecStart=@prefix@/sbin/clamonacc -F --log=/var/log/clamav/clamonacc.log --move=/root/quarantine --ping 120 --wait

The ping-and-wait feature would have clamonacc check for a clamd response once a second for 120 seconds. If clamd responds, clamonacc would finish loading. If clamd does not respond, clamonacc load would fail.

micahsnyder avatar Apr 26 '24 18:04 micahsnyder
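The two start-ordering fixes discussed in this thread, the unbounded `while [ ! -S ... ]` ExecStartPre loop from the first comment and the `--ping 120 --wait` option described above, differ in one property: the loop never gives up. The function below, an added example that is neither ClamAV's code nor anything posted by the participants, polls for the clamd local socket the way the loop does but stops after a timeout, so a clamd that never starts fails the unit instead of leaving it stuck in "activating" forever. The socket path `/run/clamav/clamd.ctl` and the 120-second default are assumptions taken from the configuration shown in this issue.

```sh
#!/bin/sh
# Bounded wait for clamd's local socket, suitable as an ExecStartPre step.
# Usage: wait_for_clamd_socket [socket_path] [timeout_seconds]
# Returns 0 as soon as the socket exists, 1 if the timeout elapses first.
# Defaults are assumptions matching this issue's setup: /run/clamav/clamd.ctl, 120 s.
wait_for_clamd_socket() {
    sock="${1:-/run/clamav/clamd.ctl}"
    timeout="${2:-120}"
    waited=0
    # -S is true only for a socket inode, so a stale regular file at the
    # same path does not satisfy the check.
    while [ ! -S "$sock" ]; do
        if [ "$waited" -ge "$timeout" ]; then
            echo "clamd socket $sock not present after ${timeout}s, giving up" >&2
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    echo "clamd socket $sock present after ${waited}s" >&2
    return 0
}

# When installed as a script (hypothetical path /usr/local/sbin/wait-for-clamd.sh)
# and called with arguments, run the wait; without arguments do nothing so the
# file can also be sourced.
if [ "$#" -gt 0 ]; then
    wait_for_clamd_socket "$@"
fi
```

With the script installed, a drop-in such as `/etc/systemd/system/clamonacc.service.d/wait.conf` containing `[Service]` and `ExecStartPre=/usr/local/sbin/wait-for-clamd.sh /run/clamav/clamd.ctl 120` gives the same bounded behaviour as `--ping 120 --wait`; a non-zero exit from ExecStartPre makes systemd mark clamonacc.service failed, which is what `Restart=on-failure` with `RestartSec=120` in the unit above then retries.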

To be honest, I think it's a bad idea to use SIGKILL directly in the service unit. This will terminate clamonacc with SIGKILL every time, although this should only be used as a last resort for unresponsive processes. The clamonacc process should rather react correctly to SIGTERM, even if it has found a virus.

Stefomat avatar Apr 27 '24 10:04 Stefomat

> To be honest, I think it's a bad idea to use SIGKILL directly in the service unit. This will terminate clamonacc with SIGKILL every time, although this should only be used as a last resort for unresponsive processes. The clamonacc process should rather react correctly to SIGTERM, even if it has found a virus.

I don't disagree, though I am also not sure how much it matters. I also was not able to reproduce the described bug, regardless of whether the clamonacc process had found malware.

micahsnyder avatar May 06 '24 20:05 micahsnyder